forked from elastic/detection-rules
-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathattempt_to_deactivate_okta_network_zone.toml
42 lines (38 loc) · 1.45 KB
/
attempt_to_deactivate_okta_network_zone.toml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
[metadata]
creation_date = "2020/11/06"
maturity = "production"
updated_date = "2021/07/20"
integration = "okta"
[rule]
author = ["Elastic"]
description = """
Detects attempts to deactivate an Okta network zone. Okta network zones can be configured to limit or restrict access to
a network based on IP addresses or geolocations. An adversary may attempt to modify, delete, or deactivate an Okta
network zone in order to remove or weaken an organization's security controls.
"""
false_positives = [
"""
Consider adding exceptions to this rule to filter false positives if your organization's Okta network zones are
regularly modified.
""",
]
index = ["filebeat-*", "logs-okta*"]
language = "kuery"
license = "Elastic License v2"
name = "Attempt to Deactivate an Okta Network Zone"
note = """## Config
The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
references = [
"https://help.okta.com/en/prod/Content/Topics/Security/network/network-zones.htm",
"https://developer.okta.com/docs/reference/api/system-log/",
"https://developer.okta.com/docs/reference/api/event-types/",
]
risk_score = 47
rule_id = "8a5c1e5f-ad63-481e-b53a-ef959230f7f1"
severity = "medium"
tags = ["Elastic", "Identity", "Okta", "Continuous Monitoring", "SecOps", "Network Security"]
timestamp_override = "event.ingested"
type = "query"
query = '''
event.dataset:okta.system and event.action:zone.deactivate
'''